Fix private images being visible to anyone

Change-Id: I1df1a11dd1b9e51d026157f9c7fd8b4a008371d8
Signed-off-by: Sawyer Bergeron <sbergeron@iol.unh.edu>

diff --git a/dashboard/src/booking/forms.py b/dashboard/src/booking/forms.py
index 7ba5af0..9349ac1 100644 (file)
--- a/dashboard/src/booking/forms.py
+++ b/dashboard/src/booking/forms.py
@@ -8,7 +8,6 @@
 ##############################################################################
 import django.forms as forms
 from django.forms.widgets import NumberInput
-from django.db.models import Q
 
 from workflow.forms import (
     SearchableSelectMultipleWidget,
@@ -22,7 +21,6 @@ from resource_inventory.models import Image, Installer, Scenario
 class QuickBookingForm(forms.Form):
     purpose = forms.CharField(max_length=1000)
     project = forms.CharField(max_length=400)
-    image = forms.ModelChoiceField(queryset=Image.objects.all())
     hostname = forms.CharField(max_length=400)
 
     installer = forms.ModelChoiceField(queryset=Installer.objects.all(), required=False)
@@ -40,14 +38,14 @@ class QuickBookingForm(forms.Form):
         elif data and "users" in data:
             chosen_users = data.getlist("users")
 
-        if user:
-            self.image = forms.ModelChoiceField(queryset=Image.objects.filter(
-                Q(public=True) | Q(owner=user)), required=False)
-        else:
-            self.image = forms.ModelChoiceField(queryset=Image.objects.all(), required=False)
-
         super(QuickBookingForm, self).__init__(data=data, **kwargs)
 
+        self.fields["image"] = forms.ModelChoiceField(
+            queryset=Image.objects.difference(
+                Image.objects.filter(public=False).difference(Image.objects.filter(owner=user))
+            )
+        )
+
         self.fields['users'] = forms.CharField(
             widget=SearchableSelectMultipleWidget(
                 attrs=self.build_search_widget_attrs(chosen_users, default_user=default_user)